Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
---
src/objects.md | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/objects.md b/src/objects.md
index 58664ef..aadb539 100644
--- a/src/objects.md
+++ b/src/objects.md
@@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users
(until labeling goes wrong !!). As processes and objects are created and
destroyed, they either:
-1. Inherit their labels from the parent process or object.
+1. Inherit their labels from the parent process or object. The policy
+ default type, role and range statements can be used to change the
+ behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules)
+ section.
2. The policy type, role and range transition statements allow a
different label to be assigned as discussed in the
[**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions)
section.
3. SELinux-aware applications can enforce a new label (with the
policies approval of course) using the **libselinux** API
- functions.
+ functions. The `process setfscreate` access vector can be used to
+ allow subjects to create files with a new label programmatically
+ using the ***setfscreatecon**(3)* function, overriding default
+ rules and transition statements.
4. An object manager (OM) can enforce a default label that can either
be built into the OM or obtained via a configuration file (such as
those used by
@@ -269,6 +275,20 @@ and manage their transition:
`type_transition`, `role_transition` and `range_transition`
+SELinux-aware applications can enforce a new label (with the policies
+approval of course) using the **libselinux** API functions. The
+`process setexec`, `process setkeycreate` and `process setsockcreate`
+access vectors can be used to allow subjects to label processes,
+kernel keyrings, and sockets programmatically using the
+***setexec**(3)*, ***setkeycreatecon**(3)* and
+***setsockcreatecon**(3)* functions respectively, overriding
+transition statements.
+
+The `kernel` and `unlabeled` **initial security identifiers** are used
+to associate specified labels with subjects that were left unlabeled
+due to initialization or with subjects that had their label
+invalidated due to policy changes at runtime respectively.
+
### Object Reuse
As GNU / Linux runs it creates instances of objects and manages the
--
2.27.0
